If you missed week 1, you may want to read it first to understand the structure of my My path to AWS Certified Solutions Architect — Professional.
It took me over 3 weeks (about 9 hours of study) to complete this section.
Based on my studies, there are 3 main topics that address the complexity of most organizations' infrastructure in AWS. I found the 3 topics in module 1 of AWS Exam Readiness, which is my number one learning source.
- Cross-account authentication and access strategies
- Multi-account AWS environments
One of the videos I recommend is from AWS re:Invent 2018.
To proceed, you will need a better understanding of IAM users, groups and roles:
- Access control, i.e. security controls applied per individual identity
- Temporary access delegation
- Security Token Service (STS)
User federation: federated users are users without AWS accounts. You can create roles for these users, which is useful when non-AWS users can authenticate with an external service such as Microsoft Active Directory, LDAP, or Kerberos.
With SAML 2.0 or OpenID, users get into AWS without having a password stored in the AWS system.
There are 3 different options for Active Directory in AWS. AWS provides different ways to use Microsoft Active Directory with other AWS services: AWS Managed Microsoft AD, Simple AD, and AD Connector, where you have your own AD, mostly on premises, and use it to connect to AWS.
The good thing about reading is that you always discover some new term or feature to learn about. Stop here for a second.
A sample question contains this sentence: "the dev team requires access to SAML-enabled applications on AWS." As you can see, I am familiar with OAuth but not SAML. This is an opportunity to google it and learn more. A 10-minute pause to read something new.
========================pause ============= 30 min
It turns out that OAuth and SAML are very similar. SAML stands for Security Assertion Markup Language; it is an open standard that allows identity providers (IdP) to pass authorization credentials to service providers (SP). I have this image from my reading to show how SAML works.
AD Connector and AWS SSO are 2 notions you need to look into if you are not familiar with them. In fact, AD Connector allows you to use your on-premises AD to sign in to SAML-enabled applications such as AWS SSO.
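To make the SAML-to-AWS flow concrete, here is an added example (my own code, not from the post or from any AWS tool) of the step a federation client performs after the IdP returns an assertion: it checks that the assertion is addressed to AWS and still valid, reads the `https://aws.amazon.com/SAML/Attributes/Role` attribute that lists which role the user may assume through which SAML provider, and builds the parameters for STS `AssumeRoleWithSAML`. The IdP URL, account ids and role names in the sample response are constructed; the signature check is done by STS, not here.

```python
"""Read the AWS role attribute from a SAML response before calling STS.

Added example. The flow modelled: IdP authenticates the user -> IdP returns a
signed SAML response -> client checks audience/validity, picks a role ->
STS AssumeRoleWithSAML returns temporary credentials (no AWS password involved).
"""
import base64
import xml.etree.ElementTree as ET  # for untrusted input prefer defusedxml
from datetime import datetime, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "samlp": "urn:oasis:names:tc:SAML:2.0:protocol"}
AWS_AUDIENCE = "urn:amazon:webservices"           # audience AWS expects
ROLE_ATTR = "https://aws.amazon.com/SAML/Attributes/Role"
SESSION_ATTR = "https://aws.amazon.com/SAML/Attributes/RoleSessionName"

# Constructed sample of what an IdP posts to the AWS sign-in endpoint.
# Account ids 111111111111/222222222222 and idp.example.com are made up.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Assertion>
    <saml:Issuer>https://idp.example.com/metadata</saml:Issuer>
    <saml:Conditions NotBefore="2024-01-01T00:00:00Z" NotOnOrAfter="2024-01-01T00:05:00Z">
      <saml:AudienceRestriction><saml:Audience>urn:amazon:webservices</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="https://aws.amazon.com/SAML/Attributes/Role">
        <saml:AttributeValue>arn:aws:iam::111111111111:role/Developer,arn:aws:iam::111111111111:saml-provider/ExampleIdP</saml:AttributeValue>
        <saml:AttributeValue>arn:aws:iam::222222222222:saml-provider/ExampleIdP,arn:aws:iam::222222222222:role/ReadOnly</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="https://aws.amazon.com/SAML/Attributes/RoleSessionName">
        <saml:AttributeValue>alice@example.com</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""
SAMPLE_B64 = base64.b64encode(SAMPLE_RESPONSE.encode()).decode()


def _parse_time(value):
    """Parse a SAML UTC timestamp such as 2024-01-01T00:05:00Z (fraction dropped)."""
    if isinstance(value, datetime):
        return value
    value = value.rstrip("Z").split(".")[0]
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)


def parse_saml_response(b64_response, now=None):
    """Validate audience and validity window; return roles and session name."""
    root = ET.fromstring(base64.b64decode(b64_response))
    assertion = root.find(".//saml:Assertion", NS)
    if assertion is None:
        raise ValueError("no Assertion element")

    cond = assertion.find("saml:Conditions", NS)
    audiences = [a.text for a in cond.findall(".//saml:Audience", NS)]
    if AWS_AUDIENCE not in audiences:
        raise ValueError("assertion is not addressed to AWS")
    now = _parse_time(now) if now else datetime.now(timezone.utc)
    if not (_parse_time(cond.get("NotBefore")) <= now < _parse_time(cond.get("NotOnOrAfter"))):
        raise ValueError("assertion outside its validity window")

    roles, session_name = [], None
    for attr in assertion.findall(".//saml:Attribute", NS):
        values = [v.text.strip() for v in attr.findall("saml:AttributeValue", NS)]
        if attr.get("Name") == ROLE_ATTR:
            for pair in values:
                # AWS accepts "role,provider" or "provider,role"; normalise to (role, provider)
                a, b = (p.strip() for p in pair.split(","))
                roles.append((a, b) if ":role/" in a else (b, a))
        elif attr.get("Name") == SESSION_ATTR:
            session_name = values[0]
    return {"roles": roles, "session_name": session_name}


def build_assume_role_request(role_arn, provider_arn, b64_response, duration=3600):
    """Parameters for boto3 sts.assume_role_with_saml(**params)."""
    return {"RoleArn": role_arn, "PrincipalArn": provider_arn,
            "SAMLAssertion": b64_response, "DurationSeconds": duration}


if __name__ == "__main__":
    parsed = parse_saml_response(SAMPLE_B64, "2024-01-01T00:02:00Z")
    for role, provider in parsed["roles"]:
        print(role, "via", provider)
    print(build_assume_role_request(*parsed["roles"][0], SAMPLE_B64))
```

The role/provider pairing is what ties the assertion to IAM: the role's trust policy must name that SAML provider as principal, otherwise STS refuses the assumption even with a perfectly valid assertion.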
In this section you will need to learn more about hybrid virtual private network (VPN) connections, virtual private cloud (VPC) and storage gateways.
- The types of gateways in AWS you will need to know.
- How you manage VPN connections.
- File gateway, tape gateway, stored-volume and cached-volume gateway are terms you will need to know.
Direct Connect (DX) is the key thing to know when it comes to networking in a hybrid architecture. It can be a hardware, software or cloud VPN. How does a client connect a data center to the AWS cloud?
To connect to services without going over the internet, AWS uses VPC endpoints. There are gateway endpoints and interface endpoints.
Multi-account AWS environments
Most large organizations have several accounts in AWS. How are policy-based controls used to manage those accounts? How do we manage billing, or separate billing, for example based on resources? Tagging is very important in this type of account for grouping. Learn how SCP (service control policy) works.
Since AWS is evolving, there are many new solutions that you need to be studying: Kinesis, SQS, SNS. These services can be used to implement strategies for reliability requirements and to meet performance objectives.
As for the associate exam, I recommend reviewing AWS ElastiCache and CloudFront.
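The point about SCPs that exam questions keep probing is that an SCP never grants anything: a request in a member account succeeds only if every SCP on the path from the organization root to the account allows the action, and an identity policy on the principal also allows it, with any explicit Deny winning. The following added example (my own code, not from the post or from AWS) models that evaluation at the action level; the policies, OU layout and the simplification of one SCP per level with no Condition, Resource or NotAction handling are assumptions for illustration.

```python
"""Effective permissions under Service Control Policies (SCPs).

Added example. Rule modelled: allowed = (every SCP level allows) AND
(an identity policy allows) AND (nothing explicitly denies).
Conditions, resource ARNs and NotAction are deliberately left out.
"""
import fnmatch

# Constructed root SCP: FullAWSAccess-style allow plus guardrails that
# member accounts must never be able to undo, even with AdministratorAccess.
ROOT_SCP = {"Statement": [
    {"Effect": "Allow", "Action": "*", "Resource": "*"},
    {"Effect": "Deny", "Action": ["cloudtrail:StopLogging", "cloudtrail:DeleteTrail"], "Resource": "*"},
    {"Effect": "Deny", "Action": "organizations:LeaveOrganization", "Resource": "*"},
]}

# Constructed SCP on a "Workloads" OU: only these services are usable there.
WORKLOADS_OU_SCP = {"Statement": [
    {"Effect": "Allow", "Action": ["s3:*", "ec2:*", "cloudtrail:*", "sts:*"], "Resource": "*"},
]}

# Constructed identity policy attached to a developer role in a member account.
DEV_POLICY = {"Statement": [
    {"Effect": "Allow", "Action": ["s3:*", "cloudtrail:*", "lambda:*", "ec2:Describe*"], "Resource": "*"},
]}


def _matches(pattern, action):
    """IAM action matching: case-insensitive, '*' and '?' wildcards."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def evaluate_policy(policy, action):
    """Return 'Deny', 'Allow' or 'ImplicitDeny' for one policy document."""
    result = "ImplicitDeny"
    for stmt in policy["Statement"]:
        actions = stmt["Action"]
        if isinstance(actions, str):
            actions = [actions]
        if any(_matches(p, action) for p in actions):
            if stmt["Effect"] == "Deny":
                return "Deny"           # explicit deny always wins
            result = "Allow"
    return result


def decide(scp_chain, identity_policies, action):
    """Decision for a request, given SCPs from root down to the account."""
    for scp in scp_chain:                 # each level must allow independently
        verdict = evaluate_policy(scp, action)
        if verdict == "Deny":
            return "Denied by SCP"
        if verdict == "ImplicitDeny":
            return "Not allowed by SCP"
    verdicts = [evaluate_policy(p, action) for p in identity_policies]
    if "Deny" in verdicts:
        return "Denied by identity policy"
    if "Allow" not in verdicts:
        return "Not allowed by identity policy"   # SCP allow alone grants nothing
    return "Allowed"


if __name__ == "__main__":
    chain = [ROOT_SCP, WORKLOADS_OU_SCP]
    for act in ["s3:GetObject", "cloudtrail:StopLogging", "ec2:RunInstances",
                "lambda:InvokeFunction", "organizations:LeaveOrganization"]:
        print(f"{act:35} {decide(chain, [DEV_POLICY], act)}")
```

Note the two different "no" answers: `lambda:InvokeFunction` is permitted by the developer's own policy but fails because the OU SCP never lists Lambda, while `ec2:RunInstances` passes every SCP and still fails because no identity policy grants it. Tagging and billing separation sit on top of this; SCPs are the boundary.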